In the rapidly evolving world of VPNs, some service providers are trying things that defy easy classification yet can be a good match for particular firms.

Conventional VPN service providers -- if you can use that term for such a young market -- manage equipment they set up at your sites and issue VPN clients to dial-up users. WorldCom, for instance, offers this style of service, and absent the outsourced management, this is similar to what you might do if you built your own VPN.

Other conventional service providers start the VPN within their network so the secure tunnels created by the VPN end at the provider's point of presence (POP), not at customer sites. Customer traffic runs over unsecured access links between POPs and customer sites. The argument for this model is that these links are secure enough.

Some upstarts offer VPN services based on other, less-conventional models. For instance, CoreExpress is building a backbone network and guarantees quality of service across it using its own network tied to the access networks of AT&T, Genuity, Sprint and UUNET.

At the moment, customers still have to install their own VPN gear at the ends of the connections, but they get guaranteed network performance because the traffic flows over CoreExpress' network, not the Internet. Within six months the company plans to offer VPN services through agreements with other vendors, according to Greg Davis, vice president of marketing.

CoreExpress leases fiber links from two carriers, Williams Communications and Level 3 Communications, and lights them up with Sycamore optical core switches that it feeds with Juniper edge routers and Cisco core routers. Customers must buy Internet access from one of the four ISPs. Before accepting a customer site and making service-level commitments, CoreExpress tests how fast traffic gets from customer sites to the CoreExpress edge routers. If it is not fast enough to support a maximum site-to-site delay of less than 150 msec, CoreExpress won't provide the service.

This service is attractive to Magellan Health Care, which manages mental health and substance abuse care for health plans, insurance companies and large employers. As Magellan gets new clients, it needs to tie them into the firm's network, generally within 60 days.

That's not enough time to get a frame relay connection, the firm's traditional way to connect sites. But it is enough to get a dial-up connection to one of the ISPs, says Bob Odenheimer, Magellan's senior vice president for IT, operations and telecommunications. Dual ISDN lines offer 256K bit/sec links to an ISP, he says, and the CoreExpress backbone gives the performance that customers need. "Our customers have certain expectations: They need faster-than-normal Internet response times, and they need consistent response times," Odenheimer says, adding that CoreExpress provides both.

He wants VPN protection for his net and talked to CoreExpress about installing such security on the PC-based network-monitoring devices CoreExpress places at each customer site. "It's a Linux box, and it wouldn't be difficult to build in VPN protection," he says.

OpenReach is another VPN service provider customers can turn to when they need connections to new sites installed quickly, says Andrew Yashchuk, network director for NeBo, an Oakbrook Terrace, Ill., firm that links medical facilities to its data center and to insurance companies. If a customer site has a 'Net connection, he can tie it into the NeBo VPN within days.

OpenReach sells software that customers load on PCs to create IP Security VPN gateways they install at each site. OpenReach's network operations center assigns each gateway an IP address and acts as a certificate authority for authenticating sites with each other.

OpenReach charges a flat fee of between $300 and $1,000 per month per site, depending on the speed of the site's Internet connection.

"Our main reasons for using the service are the price for the bandwidth and the speed of installation," Yashchuk says. "We can get a hospital up and running without getting involved with the phone company and with a minimum involvement of the hospital's IT staff."

Another upstart that is attractive for speed of installation is Exario, which specializes in DSL connections. Exario goes to other service providers and buys DSL connections to customer sites, eliminating that often considerable hassle. It manages network-based firewalls, authentication and encryption, and runs a Web site where corporate telecommuters get step-by-step instructions on how to join the corporate VPN.

Exario is notable for taking the virtual out of VPN, says Kevin Murray, CIO of insurance firm AIG. "This is private DSL as opposed to a virtually private session where you are just slightly separated from the public Internet," Murray says. "That's important to me if I'm running a business application with sensitive data or if I need known performance characteristics." To give this service, Exario runs its national Multiprotocol Label Switching-based net on leased fiber.

SmartPipes is a new provider with its own take on VPNs: Make it easy to manage these networks, and you will attract customers. Its technology lifts the burden of having to configure VPN policy changes device by device via command-line interfaces, reducing errors and saving staff time, the company says.

Instead, customers log the IP addresses and configuration data about their Cisco routers and Windows 2000 VPN clients into SmartPipes' Policy Engine and can make policy changes using a graphical interface on a secure Web page. The policy engine then reconfigures all the network devices to reflect the changes.

"It's much easier to manage when it's graphically put up there," says Scott Singer, CTO of systems integrator Native American Systems. And it works across any ISP.

In addition, the system will kick back policy changes that the VPN gear cannot support.

There are other companies pushing unique VPN services or pieces of services, and customers have to ask, "When do I look at these guys vs. the more conventional providers with CPE-based or network-based services?" says Jeff Phillips, an analyst with TeleChoice.

He notes that providers such as OpenReach and CoreExpress make it relatively easy to set up business-to-business extranets. Others, such as CoreExpress and Exario, offer service quality guarantees, something that cannot be done yet over the Internet.

Phillips says these firms are untested but are positioned well if demand for building VPN extranets increases.

This story, "Upstart VPN services staking out new ground" was originally published by Network World.